Agency urged to avoid imposing requirements that would increase practice burdens
MGMA provided comments to the Department of Health and Human Services Office for Civil Rights (OCR) in response to the agency’s “Request for Information (RFI) on Modifying HIPAA Rules to Improve Coordinated Care.” This RFI outlined potential modifications to the current HIPAA Privacy Rule, many of which could significantly impact physician practices.
Background
An increasing number of physician practices have acquired EHRs and are leveraging this technology to improve care coordination for their patients and to participate in value-based care arrangements. The HIPAA Privacy and Security Rules laid out a framework to ensure that protected health information (PHI) would be kept confidential and secure. These rules, however, were finalized (HIPAA Privacy in 2003; HIPAA Security in 2005) prior to the widespread use of EHRs and prior to the advancement of value-based care arrangements.
In its letter, MGMA argued that certain provisions of these rules now act as impediments to the efficient communication of PHI. While the Association supported the efforts of OCR to identify and modify provisions that serve as roadblocks to the efficient movement of PHI for patient care, we urged the agency not to establish any new requirements that increase administrative burden on practices.
Key MGMA recommendations
• First, do no harm: MGMA urged OCR to ensure that any modifications the agency makes to HIPAA should not impose additional administrative burdens on physician practices and should demonstrably reduce barriers to care coordination, case management and value-based care.
• Remove the requirement for practices to obtain or make a “good faith effort” to acquire written acknowledgment of the NPP: MGMA argued that obtaining the written acknowledgment of the Notice of Privacy Practices (NPP) or making a good faith effort to obtain it is an unnecessary burden on practices and of little value to the patient. There is no practical use of the acknowledgment, as these forms are almost never reviewed by the patient once collected and few if any patients ever ask to review or modify these forms.
Less burdensome options for sharing the NPP with patients should be allowed including waiving the acknowledgment requirement should the practice post the NPP in a prominent and public area of its facility and on its website. By having the NPP posted on the website, this waiver could then apply to those organizations offering services that do not require the patient to be physically present at the time of service.
• Maintain the current response times to respond to patient requests for a copy of their PHI: Currently, practices have up to 30 days to provide patients their PHI (with the potential of a one-time 30-day extension). MGMA contended that there are multiple reasons why a practice may require additional time to produce a complete medical record for a patient, including that the PHI is often maintained in multiple facilities, numerous computer systems and in different formats. Additionally, by law clinicians have the right to review the medical record prior to it being provided to the patient. This review period, combined with the tremendous variation in practice technology, medical record formats and location of medical records, requires additional time for practices to respond to patient requests. While practices should be encouraged to provide patients a copy of their medical record as quickly as possible, we argued that the current maximum response times should be maintained.
• Do not move forward with accounting of disclosures for TPO: While HIPAA regulations require a practice to provide to any patient who requests it an accounting of all disclosures of their PHI, this report does not need to account for disclosures made for purposes of treatment, payment or healthcare “operations” (TPO). In this RFI, OCR raises the issue of expanding the report to not only include TPO disclosures but also disclosures made on paper and through oral discussions.
MGMA conducted two surveys on the issue of accounting of disclosures, one in 2010 in response to an earlier OCR RFI on accounting of disclosures and a second in January 2019 in response to the current OCR RFI. We presented both sets of survey results to OCR and both show that very few patients are asking for these reports and current EHR technology cannot produce these reports. Our research also indicates that accounting for TPO disclosures will present a significant burden on physician practices. Almost 75% of respondents from our 2010 survey stated that providing an accounting report for three years of patient data would be “extremely burdensome” or “very burdensome.” That number jumped to more than 80% in our January 2019 survey. Should practices be required to track which staff member accessed the PHI, when they accessed it, and the reason or purpose for the access, it would most likely require costly new software and additional personnel and force the practice to manually track much of this information.
We also raised the concern that a potential accounting of disclosures report to the patient could include specific names of individuals within the practice (or any other business associate or covered entity) and the action they took. Releasing this level of information also raises important security concerns for those individuals who may become targets for discontented patients or family members. We contended that healthcare providers and other covered entities must on occasion make decisions about treatment, authorizations and other issues that patients may not understand without proper explanation from the practice. This could lead to unwarranted threats, harassment or even potential physical harm to practice workers.
• Do not require paper records and oral communications in an accounting of disclosures report: While reporting on electronic TPO disclosures itself would be extremely challenging, reporting on disclosures made on paper and orally by practice clinical and administrative staff would be next to impossible.
• Do not move forward with a mandate requiring a covered provider to disclose PHI to business associates or other entities: OCR raised the issue of requiring practices to disclose patient information to business associates. Clinicians should be permitted to use their professional judgment and determine when it is necessary and appropriate to disclose a patient’s health information.
• In the case of ransomware attacks, educate clinicians, do not penalize them: OCR should not “blame the victim” by considering a ransomware attack an automatic data breach. Rather, MGMA argued the agency should seek to leverage the collective intelligence from these attacks to educate physician practices on how to prevent them from happening and what steps to take should they experience a cyberattack.
• Enhance education for both patients and physician practices: A better understanding of HIPAA regulations will assist both patients and physician practices to better recognize their rights and obligations. Current law permits patients considerable access to their health information, and further education would increase the likelihood that patients would take advantage of these rights and that practices would more fully understand their responsibilities.
If implemented appropriately, modifications to the current HIPAA Privacy Rules could enhance the ability of physician practices to engage in care management and care coordination activities, both integral to a successful value-based approach to care delivery. In this RFI, OCR outlined a broad set of potential issues for regulatory actions. We encouraged the agency to pinpoint those aspects of the current law that negatively impact the appropriate sharing of clinical data in support of patient care and those issues that add unnecessary administrative burden on physician practices.
At the same time, MGMA cautioned OCR not to proceed with any new initiatives that create additional administrative burden on practices with little or no benefit to the patient. OCR is expected to release proposed regulations later this year.
To read the full letter and to access MGMA member-benefit HIPAA resources, visit mgma.com/hipaa.